[Experimental] WireGuard for HND platform (4.1.x kernels)

[Odkrys]

1. Install WireGuard

You need Entware-aarch64-3.10 to use wireguard without a new firmware build.


ㅡ Kernel Module ㅡ

RT-AC86U, GT-AC2900 - 4.1.27

https://github.com/odkrys/entware-makefile-for-merlin/raw/main/wireguard-kernel_1.0.20210219-k27_1_aarch64-3.10.ipk

opkg install /path/wireguard-kernel_1.0.20210219-k27_1_aarch64-3.10.ipk

RT-AX88U, GT-AX11000 - 4.1.51

https://github.com/odkrys/entware-makefile-for-merlin/raw/main/wireguard-kernel_1.0.20210219-k51_1_aarch64-3.10.ipk

opkg install /path/wireguard-kernel_1.0.20210219-k51_1_aarch64-3.10.ipk

RT-AX68U, RT-AX86U - 4.1.52

https://github.com/odkrys/entware-makefile-for-merlin/raw/main/wireguard-kernel_1.0.20210219-k52_1_aarch64-3.10.ipk

opkg install /path/wireguard-kernel_1.0.20210219-k52_1_aarch64-3.10.ipk

ㅡ User space tool ㅡ

https://github.com/odkrys/entware-makefile-for-merlin/raw/main/wireguard-tools_1.0.20210315-1_aarch64-3.10.ipk

opkg install /path/wireguard-tools_1.0.20210315-1_aarch64-3.10.ipk

cp /opt/etc/wireguard/S50wireguard /opt/etc/init.d

2. as Client configuration setting.

nano /opt/etc/init.d/S50wireguard

Mode=client

export LocalIP=
Route=default   #default or policy
export wgdns=
export Nipset=wgvpn

Init file has 5 options.
Mode=client

LocalIP is provided by VPN provider (e.g. AzireVPN, Mullvad) or your VPS.

default route will redirect your all internet traffic to VPN server.
policy work like Policy Rules (strict) on Merlin.

wgdns is option to change dns server.
Nipset is the name of ipset for ipset based policy routing.

AzireVPN, Mullvad, IVPN, TorGuard support WireGuard servers.

AzireVPN https://www.azirevpn.com/cfg/wg
Mullvad https://mullvad.net/en/servers/#wireguard
IVPN https://www.ivpn.net/wireguard
TorGuard https://torguard.net/knowledgebase.php?action=displayarticle&id=250

nano /opt/etc/wireguard/wg0.conf (example of AzireVPN)

[Interface]
PrivateKey = -------
Address = 10.40.12.49/19
DNS = 192.211.0.2

[Peer]
PublicKey = ----------
AllowedIPs = 0.0.0.0/0
Endpoint = IP:PORT

AzireVPN's config file looks like above one.
Fill the Address 10.40.12.49 at LocalIP of init file.

export LocalIP=10.40.12.49 (without prefix)
export wgdns=192.211.0.2

And comment out Address and DNS in the config file.
Then config file should looks like this. (I highly recommend you add keepalive.)

[Interface]
PrivateKey = -------
#Address = 10.40.12.49/19
#DNS = 192.211.0.2

[Peer]
PublicKey = -------
AllowedIPs = 0.0.0.0/0
Endpoint = IP:PORT
PersistentKeepalive = 25

Done. Start WireGuard.

/opt/etc/init.d/S50wireguard start

3. Advanced client settings.

For using Route=policy, wg-policy script has some rules.
Adjust to your situation.
Default table is 117.

nano /opt/etc/wireguard/wg-policy

#
##For ipset based Policy Routing
#

#ipset -N $Nipset hash:ip

#ip rule del prio 9997 2>/dev/null
#ip rule add fwmark 0x7000 table 117 prio 9997
#iptables -t mangle -D PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000 2>/dev/null
#iptables -t mangle -A PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000

#service restart_dnsmasq

4. as Server configuration setting.

(umask 077 && printf "[Interface]\nPrivateKey = " | tee /opt/etc/wireguard/wg1.conf > /dev/null)
wg genkey | tee -a /opt/etc/wireguard/wg1.conf | wg pubkey | tee /opt/etc/wireguard/server-publickey

nano /opt/etc/init.d/S50wireguard (example)

Mode=server

export Subnet=10.50.50.1/24   #e.g.)10.50.50.1/24
export wgport=51820

nano /opt/etc/wireguard/wg1.conf (Server uses wg1)

[Interface]
PrivateKey = ----------
ListenPort = 51820

[Peer]
PublicKey = ----------
AllowedIPs = 10.50.50.2/32

Done. Start WireGuard.

/opt/etc/init.d/S50wireguard start

4.5 Generate client QRcode.

Generator script will generate QRcode image for Android or iOS.
You need to install qrencode first.

opkg install qrencode

If you want to use your host address (192.168.50.1) as DNS server,
you have to add wg interface to Dnsmasq listening interface list.

sed -i '1s/^/interface=wg* \n/' /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq

This script will ask you 3 options.
1. client name 2. client address 3. client DNS server



-------------------------------------------------------------------------
WireGuard use iptables so when the firewall is restarted, the rules will gone.
Please add this in nat-start script.

nano /jffs/scripts/nat-start

#!/bin/sh

WVPNROUTE=`ip route show | grep -i -a "dev wg"`
logger -s -t "($(basename $0))" $$ "Checking if WireGuard is UP...."$WVPNROUTE
if [ "$WVPNROUTE" != "" ];then
        logger -s -t "($(basename $0))" $$ "**Warning WireGuard is UP.... restarting WireGuard"
        /opt/etc/init.d/S50wireguard restart
fi

5. Remove WireGuard

/opt/etc/init.d/S50wireguard stop
opkg remove wireguard-kernel wireguard-tools
rm -r /opt/etc/wireguard
rm /opt/etc/init.d/S50wireguard

Scripts are not beautiful. They just work. Sorry, this is my best.
They have some rules to prevent duplicate.
The error messages (e.g. iptables) are not real error.
Don't worry.


Edit: iperf benchmark result.

WireGuard server on RT-AC86U. Windows 10 Tunsafe client. (https://tunsafe.com/download)
WireGuard author does not assure Tunsafe security. I just used it for benchmark purpose.

Spoiler

C:\iperf-2.0.9-win64>iperf -c 192.168.50.246 -N -M 1400 -t 20 -w 2M -P 5
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
WARNING: attempt to set TCP maximum segment size to 1400, but got 1281
------------------------------------------------------------
Client connecting to 192.168.50.246, TCP port 5001
TCP window size: 2.00 MByte
------------------------------------------------------------
[ 5] local 10.50.50.2 port 1911 connected with 192.168.50.246 port 5001
[ 7] local 10.50.50.2 port 1913 connected with 192.168.50.246 port 5001
[ 4] local 10.50.50.2 port 1910 connected with 192.168.50.246 port 5001
[ 6] local 10.50.50.2 port 1912 connected with 192.168.50.246 port 5001
[ 3] local 10.50.50.2 port 1909 connected with 192.168.50.246 port 5001
[ ID] Interval Transfer Bandwidth
[ 5] 0.0-20.0 sec 220 MBytes 92.4 Mbits/sec
[ 7] 0.0-20.0 sec 205 MBytes 86.1 Mbits/sec
[ 4] 0.0-20.1 sec 230 MBytes 96.1 Mbits/sec
[ 6] 0.0-20.0 sec 227 MBytes 95.2 Mbits/sec
[ 3] 0.0-20.0 sec 212 MBytes 89.1 Mbits/sec
[SUM] 0.0-20.1 sec 1.07 GBytes 457 Mbits/sec

 

[Geraner]

Sounds interesting. Will try to take a look at it and test it during the weekend.
Will comeback with a followup. Will be nice to compare with my recent VPN speed test done, using OpenVPN.

 

[Geraner]

Finally managed to set it up and did a speed test.
You are right ... 400+ Mbps is possible.

At the same time, the CPU use is about 100% on both CPU's.

Wrote a short blog article about this test on my page.

 

[sfx2000]

Nice work... no worries about top sending performance to 100% - I've had machines at 400-800 percent, and things are fine...

Lately my attention is more focused on SD-WAN applications, which is similar, but Layer 3 vs. Layer 2...

Good example of layer 3 implementations, and something worthing thinking about - ZeroTier

 

[ColinTaylor]

Nice work... no worries about top sending performance to 100% - I've had machines at 400-800 percent, and things are fine...

I think you might be conflating his CPU utilization with CPU load (each core cannot exceed 100% utilization). Indeed, in his screen shot the CPU load is 5.34.

 

[Odkrys]

Finally managed to set it up and did a speed test.
You are right ... 400+ Mbps is possible.

At the same time, the CPU use is about 100% on both CPU's.

Wrote a short blog article about this test on my page.

Thanks for benchmark info.
There is no wireguard server or cheap vps in my country.
So I could not test max speed of it.

 

[Odkrys]

Nice work... no worries about top sending performance to 100% - I've had machines at 400-800 percent, and things are fine...

Lately my attention is more focused on SD-WAN applications, which is similar, but Layer 3 vs. Layer 2...

Good example of layer 3 implementations, and something worthing thinking about - ZeroTier

Entware already have Zerotier.

 

[Geraner]

I think you might be conflating his CPU usage with CPU load (each core cannot exceed 100% use). Indeed, in his screen shot the CPU load is 5.34.

Well this high CPU usage was only while I have done the Speedtest with Speedtest.net. Under normal usage, the CPU is around 1-2 %.
Did a couple of Speed tests in a row, before I took the screen shot. So it's not only one speed test I did once I got WireGuard running.

 

[Geraner]

3. Advanced settings.

For using Route=policy, wg-policy script has some rules.
Adjust to your situation.
Default table is 117.

nano /opt/etc/wireguard/wg-policy

#
##For ipset based Policy Routing
#

#ipset -N $Nipset hash:ip

#ip rule del prio 9997
#ip rule add fwmark 0x7000 table 117 prio 9997
#iptables -t mangle -D PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000
#iptables -t mangle -A PREROUTING -m set --match-set $Nipset dst -j MARK --set-mark 0x7000/0x7000

#service restart_dnsmasq

Can you explain more in detail how to use this config if I want to use policy based routing.
Everything works fine when I use the default and all my LAN devices are going out using the WireGuard connection.
All devices have fixed IP addresses locked by MAC address.

Please write an example how to wg-policy config should look like if I for example want to route LAN device 192.168.1.10 + 192.168.1.20 through the WireGuard connection.

 

[Odkrys]

Can you explain more in detail how to use this config if I want to use policy based routing.
Everything works fine when I use the default and all my LAN devices are going out using the WireGuard connection.
All devices have fixed IP addresses locked by MAC address.

Please write an example how to wg-policy config should look like if I for example want to route LAN device 192.168.1.10 + 192.168.1.20 through the WireGuard connection.

change Route to policy and add this to end of wg-policy script.

ip rule del prio 11111 2>/dev/null
ip rule del prio 11112 2>/dev/null
ip rule add from 192.168.1.10 lookup 117 prio 11111
ip rule add from 192.168.1.20 lookup 117 prio 11112

This may enough for you.
Don't touch ##For ipset based Policy Routing part.
This two rules should be added to wg-down script too.

ip rule del prio 11111 2>/dev/null
ip rule del prio 11112 2>/dev/null

 

[RMerlin]

For best performance, make sure you run it on the second CPU core, so it won't share the same core as the rest of the routing/NATing code. For OpenVPN that provides a very significant performance boost.

 

[Odkrys]

For best performance, make sure you run it on the second CPU core, so it won't share the same core as the rest of the routing/NATing code. For OpenVPN that provides a very significant performance boost.

Wireguard supports multicore.

 

[Geraner]

@RMerlin, would it be possible to implement WireGuard inte Merlin firmware?
As Odkrys said, it's multicore aware. Uses both cores while testing. No extra configuration is necessary.

 

[RMerlin]

@RMerlin, would it be possible to implement WireGuard inte Merlin firmware?
As Odkrys said, it's multicore aware. Uses both cores while testing. No extra configuration is necessary.

No.

I have people asking me to implement Shadowsocks, Wireguard, L2TP, PPTP, XOR-patched OpenVPN... It just never ends, everyone wants his personal favorite tunneling solution implemented.

This is beyond the scope of my project, not gonna devote countless hours maintaining all of these different solutions. OpenVPN suits pretty much everyone's needs, it's highly flexible, and just supporting that one already takes a large chunk of development time. Not gonna duplicate this 3-4 times by also supporting a bunch of other technologies.

 

[RMerlin]

Beside, implementing Wireguard makes even less sense than the other solutions, since out of 8 different routers, only one single model would be able to support it.

 

[Odkrys]

Beside, implementing Wireguard makes even less sense than the other solutions, since out of 8 different routers, only one single model would be able to support it.

I totally agree with him.
Only RT-AC86U is able to run wireguard on Merlin firmware.

 

[sfx2000]

I have people asking me to implement Shadowsocks, Wireguard, L2TP, PPTP, XOR-patched OpenVPN... It just never ends, everyone wants his personal favorite tunneling solution implemented.

I agree...

That being said - OpenVPN, while very portable, is getting to be the not first choice, mostly for folks behind great country firewalls in my experience...

And the "solutions" there will never end - that is a bit of a race there...

 

[RMerlin]

That being said - OpenVPN, while very portable, is getting to be the not first choice, mostly for folks behind great country firewalls in my experience...

The tls-crypt support added in 2.4 takes care of that.

 

[Odkrys]

no more kernel error messages.
it will work smoothly from now on.
thanks.

 

[Shasarak]

Does anyone have a slightly more "starting from first principles", "step-by-step" guide to getting this working?